Disable User ID's or Delete?

Disable User ID\'s or Delete?

We had a meeting today to discuss the topic of disabling user ID's or deleting them. We currently disable accounts in both JDE and AD but we are starting to see a lot of clutter in both systems. Our company has been on JD Edwards for almost 15 years (live from our largest division since about 2005) and over the years we have acquired new divisions, shut down divisions and sold off a couple of other divisions. So we have accumulated a lot of disabled accounts over the years. I realize that all companies are different and have policies and procedures around this area but I'm just looking for feedback on what you do in your company.

I'd create a poll but I don't know how so I'm interested in your opinion on this topic.

Thanks,
Kevin

Re: Disable User ID\'s or Delete?

Kevin,

Excellent Topic!

I might add that there needs to be categories as to which you might 'Delete', when it comes to Consultants, Contractors and/or Seasonal Employees.

For those that might be 'repeat offenders', I would definitely suggest 'Disable' as opposed to Delete. There are few thing more frustrating to Security Folk, than to have to spend the time re-building a profile that they know had been deleted three weeks ago...

There has been, previously, discussion about Oracle's Licensing - and the number of users coming into play. If you have fifteen years of disabled users, does Oracle count those against your licensing (I don't know)....

An additional concern would be auditing. If your organization deals a lot with Dollars, Security or is Publicly Traded - you might want to consider what happens if you are audited. If the organization has to prove that 'someone' had very specific authority - it would be best 'not' to delete.

Some day, all my advice will accrue to an actual cent, until then....

(db)

Re: Disable User ID\'s or Delete?

We're currently disabling too. We also considering applying a role to the disabled users like DISABLED, TERMINATED, NOACCESS (with Application *ALL = N) or something like that just in case their profile gets accidentally re-enabled. Another ideas we've considered is associating their account with database account that has no access or that is locked.

The only thing we've agreed on is we do just want to disable and we're not comfortable with just a simple setting being the barrier to access.

This would be a good poll question.

Re: Disable User ID\'s or Delete?

Thanks for the replies guys! I really appreciate your input.

Personally I'd like to delete the accounts just to clean things up but I understand the need to keep them around as well.

Thanks again,
Kevin